pam_yubico for ssh on CentOS 7

Get EPEL:

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install pam_yubico:

yum install -y pam_yubico

Set the SELinux boolean that permits sshd to make outbound HTTP connections:

setsebool -P authlogin_yubikey 1

Configure PAM (/etc/pam.d/sshd):

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Yubikey authentication
auth       required     pam_yubico.so id=16
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

Create ~/.yubico/authorized_yubikeys and add a line with your username and YubiKey ID:

root:ccccccduetdf
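
A mistyped ID in this file makes pam_yubico reject the key, so it helps to derive the ID from a real OTP and check the file before reloading sshd. The following is an added example, not part of the original notes: the function names and the sample OTP are constructed, and it assumes the default 12-character public ID at the start of a 44-character modhex OTP.

```shell
#!/bin/sh
# Added example: helper names and the sample OTP are constructed for illustration.

# yk_public_id OTP
# Prints the 12-character public ID (the value stored in authorized_yubikeys).
# Fails if OTP is not 44 modhex characters (alphabet: cbdefghijklnrtuv).
yk_public_id() {
    otp=$1
    case $otp in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    [ "${#otp}" -eq 44 ] || return 1
    printf '%s\n' "$otp" | cut -c1-12
}

# yk_check_mapping FILE
# Checks each "user:id[:id...]" line; prints malformed lines with their
# line numbers and returns non-zero if any are found.
yk_check_mapping() {
    awk -F: '
        /^[[:space:]]*$/ { next }            # ignore blank lines
        {
            bad = (NF < 2 || $1 == "")       # need a user and at least one ID
            for (i = 2; i <= NF; i++)
                if ($i !~ /^[cbdefghijklnrtuv]+$/ || length($i) != 12)
                    bad = 1                  # wrong alphabet or wrong length
            if (bad) { printf "line %d: %s\n", NR, $0; rc = 1 }
        }
        END { exit rc + 0 }
    ' "$1"
}

# Constructed sample OTP: the page's ID followed by 32 arbitrary modhex characters.
SAMPLE_OTP=ccccccduetdfcbdefghijklnrtuvcbdefghijklnrtuv
printf 'root:%s\n' "$(yk_public_id "$SAMPLE_OTP")"
```

To use it, touch the YubiKey in a terminal to emit an OTP, pass that string to yk_public_id, then run yk_check_mapping ~/.yubico/authorized_yubikeys.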

Edit /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

Reload sshd:

systemctl reload sshd